Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form
or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our
provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any
such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their
accuracy, and the products may change over time. In addition, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their
respective manufacturers.
© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
To date, processes used to remediate Active Directory issues in customer environments have
been inconsistent at best. Each customer has relied upon interpretations of the guidance,
expensive consulting, and the varied skill sets they have local to their organizations. The result
has been long delays in correcting errors with corresponding delays in deployment and
associated customer dissatisfaction. Microsoft has recognized that customers need a basic tool to
alleviate this pain.
The Microsoft Office 365 IdFix tool provides customers the ability to identify and remediate the
majority of object synchronization errors in their Active Directory forests in preparation for
deployment to Office 365. Analysis of the monthly Support cases shows that roughly 60%
of all errors seen daily are duplicate or malformed proxyAddresses and userPrincipalName values.
The utility does not fix all errors, but it does find and fix the majority. This remediation will then
allow them to more successfully synchronize users, contacts, and groups from the on-premises
Active Directory into the Microsoft Office 365 environment.
Note: IdFix may identify errors beyond those that emerge during synchronization. The most
common example is compliance with RFC 2822 for SMTP addresses. Although invalid
attribute values can be synchronized to the cloud, the best practice recommendation
from the product group is that these errors be corrected.
The remediation effort is focused on directory synchronization errors which may be raised even
if the on-premises environment seems to be operating normally. Remember that the directory
synchronization tools check for values that could potentially cause issues with cloud services
that may not cause issues in the on-premises environment.
2.1 Functionality
This document describes how to use the IdFix tool to perform the discovery and remediation of
the objects and their attributes from the on-premises Active Directory environment and is
intended for the Active Directory administrators responsible for supporting the Office 365
service. The Administrator using the tool should understand the implications of modifying
directory objects and attributes.
IdFix queries all domains in the currently authenticated forest and displays object attribute
values which would be reported as errors by the supported directory synchronization tool. The
datagrid supports the ability to scroll, sort, and edit those objects in a resulting table to produce
compliant values. Confirmed values can then be applied to the forest with the ability to undo
updates. Transaction rollback is supported.
In the case of invalid characters, a suggested “fix” is displayed where it can be determined from
the existing value. Changes are applied only to records for which the customer has set an
ACTION value. Confirmation of each change is enforced.
Note: Suggested values for formatting errors start with the removal of invalid characters and
then the value must be updated by the user. It is beyond the scope of this utility to
determine what the user really wanted when a mistake in formatting is detected.
Not all objects should be made available for editing as some could cause harm to the source
environment; e.g. critical system objects. These objects are excluded from the IdFix datagrid.
Well Known Exclusions as defined by the Deployment Guide are supported.
Data can be exported into CSV or LDF format for offline editing or investigation. Save to File is
supported.
Since IdFix makes changes in the customer environment, logging is included. Verbose logging is
enabled by default.
Support for both the Multi-Tenant and the Dedicated versions of Office 365 is enabled in this release.
The rule set is selected via the Settings icon on the menu.
Note: Additional functionality will be considered for future releases, and suggestions for
improvement are very much appreciated.
2.2 Requirements
The hardware, software, and other requirements and considerations for running IdFix are
covered in this section.
RAM: 4 GB (minimum)
Hard disk space: 2 GB (minimum)
Active Directory: Queries are via native LDAP and have been tested with Windows Server 2008 R2,
but all versions should be expected to work.
2.3.1 Multi-tenant
List of attributes that are synchronized to Office 365 and attributes that are written back to the
on-premises Active Directory Domain Services
2.3.2 Dedicated
2.4 Installation
►To install the IdFix tool
Extract the zip and copy all the files in the IdFix folder to a folder on the local hard drive of a
workstation that meets all stated requirements. Rename the executable file to end in an EXE
extension. There are no other dependencies. The location of the program files is arbitrary.
A new verbose log is created each time you run the application.
All changes applied to the forest are saved in separate Undo files with a date and time
stamp.
Note: Although IdFix tracks its own updates, it is not able to track updates made by other
machines or applications.
1) Log on to the workstation where you installed IdFix using an account which can read and, if
desired, write changes to your on-premises Active Directory objects.
2) Directory synchronization rule sets are different depending on which version of Office 365 is
in use. The Settings icon allows you to choose relevant options for the next query.
a. Multi-Tenant or Dedicated/ITAR rule sets in order to detect attribute values known to
cause directory synchronization errors relevant to the version of Office 365 in use.
b. The scope of the query can be limited by altering the Filter value with a valid LDAP
syntax value.
c. Port can be set to 3268, 389, or 636. The default value when the application is first
started is 3268. This allows the query to return values from all trees in the default
forest. While it is unusual for forests to contain more than one tree it does happen.
You will notice that after updates are applied the port will automatically change to
389. This is because writes must be applied to the writeable naming context, which
does not support 3268 as a valid option.
3) Query for relevant directory synchronization errors. IdFix queries all objects with a filter for
applicable attributes. IdFix updates the status line on the bottom of the dataGridView and
writes all values to the log.
4) Cancel terminates a running query if the user does not wish to continue.
5) IdFix applies rules against the required AD attributes to determine which objects must be
remediated and presents you with any detected error conditions.
a. IdFix displays items with information related to the object in question and the error
conditions. Objects are identified by the distinguishedName with the associated error
type and value that is in error.
b. Where feasible, IdFix presents a recommendation for corrective data in the UPDATE
4/17/2015 10:38:03 AM QUERY COUNT: 165 ERROR COUNT: 112 DUPLICATE CHECK COUNT: 333
10) In the event of an unwanted correction, you may Undo the update; Undo is one level
deep per UPDATE transaction.
Apply generates an LDF file for the transactions that are applied.
Note: IdFix cannot track updates to objects or attributes that occur outside of the
application. If you and someone else edit the same attribute, then the last change is the one
committed to the object.
11) You have the ability to Export what’s in the table to review with others before taking
corrective action, or to use as the source of a later bulk import using the Import option.
12) You have the ability to Import data from a CSV file to allow offline manual edits to be
applied. Be very careful with manually edited files and use an Exported CSV file as a
template. Testing is strongly recommended and there is no guarantee that what you do offline
will be correctly recognized by IdFix. See section 4.2 for additional information on Importing
data.
13) If the query returns more than 50,000 errors, the menu items Next Block and Previous Block
are displayed. The number of errors that can be displayed on the screen at one time is
limited to avoid application exceptions resulting from exceeding physical memory.
14) You may always submit suggestions for improvement or support requests via the Feedback
icon which will go directly to IdFixSupport@Microsoft.com.
3.2.1 Query/Sort/Fix
We’ve seen a number of consultants use the tool to find errors and then export the values and
proceed to fix the errors manually. This is time consuming and actually introduces risk into the
process. The tool was designed to find and fix errors from the interface. The longer the interval
between error detection and error correction, the greater the probability that changes will
have occurred in the source environment, rendering the error data stale.
Most of what you’ll see are simple errors and only a fraction actually need analysis. Start by
eliminating those errors for which there is no alternative and progress to those that require a
decision. Always remember that you can Undo an update.
3. Character – Do these first as they will comprise a large percentage of the volume while
requiring little if any review. Character errors are invalid for the attribute checked and
the update value shows them removed. Bulk select, mark them Edit, and Apply
(hereafter designated as BEA).
4. Format – Single value errors of “format” that eliminate issues with white space, trailing
periods, etc. Commonly found with mailNickName. BEA.
5. Domain and TopLevelDomain – If it’s for a UPN then you need to fix them. If it’s for a
proxyAddress then ask whether the namespace will be used in the tenant. If not, then ignore
them. If the customer has used a non-routable domain then this may form the majority
of your errors. Think about whether the namespace will be used. If the answer is yes, then
we can Export, do a bulk edit, Import, and Apply.
6. Simple multiple value errors – Next look at things like “character, localpart”. Most of
these will have an obvious mistake with the suggested value eliminating the problem so
BEA.
7. By now you’re down to a much smaller result set. Rerun your Query so that you can
just see what’s left to fix.
8. Duplicates – If they are UPNs then fix them. The suggested flag in the update column,
e.g. (E), will use other attributes in the object to make a best guess. If they are
proxyAddresses, will the namespaces be used in the tenant? If not they can be ignored,
though it can help to eliminate future problems if you avoid synchronizing invalid data
to the tenant.
9. At this point you should be down to a handful of errors. Sort and conquer.
10. Again, remember that if you make a mistake you can Undo the update. All
updates are logged twice: in the Verbose log and in the Update file.
Based on past experience, this process should only take a couple of hours even for inexperienced
resources to complete. As you become more comfortable with the update suggestions you may
choose to just Accept and Apply which will use all suggested values. It’ll get rid of a large
number of the simple errors so you can focus on those that require analysis. Our experience has
shown that this is correct more often than manual choices.
3.3.2 Format
The Value violates the format requirements for the attribute usage. The suggested Update will
show the Value with any invalid characters removed. If there are no invalid characters the
Update and Value will appear the same. It is up to the user to determine what they really want in
the Update. For example, SMTP addresses must comply with RFC 2822 and mailNickName cannot
start or end with a period.
3.3.3 TopLevelDomain
This applies to values subject to RFC 2822 formatting. If the top level domain is not internet
routable then this will be identified as an error. For example, an SMTP address ending in .local is
not internet routable and would cause this error.
3.3.4 DomainPart
This applies to values subject to RFC 2822 formatting. If the domain portion of the value is invalid
for a reason other than top level domain routing, this error will be generated.
3.3.5 LocalPart
This applies to values subject to RFC 2822 formatting. If the local portion of the value is invalid,
this error will be generated.
3.3.6 Length
The Value violates the length limit for the attribute. This is most commonly encountered when
the schema has been altered. The suggested Update will truncate the value to the attribute
standard length.
3.3.7 Duplicate
The Value has a duplicate within the scope of the query. All duplicate values will be displayed as
errors. The user can Edit or Remove values to eliminate duplication.
3.3.8 Blank
The Value violates the null restriction for attributes to be synchronized. Only a few attributes must
contain a value. The suggested Update will leverage other attribute values in order to generate
a likely substitute.
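The error classes described above (and the RFC 2822 note in the introduction), as an added example that is not IdFix's own code: a small Python checker that classifies constructed proxyAddresses values into Character, Format, LocalPart, DomainPart, TopLevelDomain, Length, Duplicate and Blank and produces the kind of suggested Update the guide describes. The accepted character set, the non-routable TLD list, the 256-character limit, the case-insensitive duplicate comparison, the CN-based Blank substitute and the sample records are all assumptions, not the tool's actual rule set.

```python
# Added example, not IdFix code: a model of the guide's error classes; rules, limits and sample data are assumptions.
import re
from collections import Counter
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"          # RFC 2822 atext characters ('-' kept last for the class)
LOCAL_OK = re.compile(rf"^[.{ATEXT}]+$")           # dot-atom local part
LABEL_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")  # one DNS label
INVALID = re.compile(rf"[^.@{ATEXT}]")             # characters that can never appear in an address
NON_ROUTABLE_TLDS = {"local", "lan", "internal"}  # assumed list; .local is the guide's example

def check_smtp(value):  # -> (error_type, suggested_update), or None when the value is clean
    if not value:
        return ("blank", "")
    if len(value) > 256:                            # assumed attribute length limit
        return ("length", value[:256])              # Length: Update truncates the Value
    prefix, sep, addr = value.rpartition(":")       # "SMTP:a@b" -> ("SMTP", ":", "a@b")
    cleaned = INVALID.sub("", addr)
    if cleaned != addr:
        return ("character", prefix + sep + cleaned)  # Character: Update shows invalid chars removed
    if addr.count("@") != 1:
        return ("format", value)                    # Format: nothing to strip, the user must decide
    local, domain = addr.split("@")
    if not LOCAL_OK.match(local) or local[0] == "." or local[-1] == "." or ".." in local:
        return ("localpart", value)
    labels = domain.split(".")
    if len(labels) < 2 or labels[-1].lower() in NON_ROUTABLE_TLDS:
        return ("topleveldomain", value)            # e.g. .local is not internet routable
    if not all(LABEL_OK.match(label) for label in labels):
        return ("domainpart", value)
    return None

def find_errors(objects, default_domain="contoso.com"):  # {dn: [proxyAddresses]} -> (dn, value, error, update) rows
    rows, seen = [], Counter(v.lower() for vals in objects.values() for v in vals if v)
    for dn, vals in objects.items():
        cn = dn.split(",")[0][3:].lower()           # "CN=Alice,..." -> "alice"
        for v in vals:
            err = check_smtp(v)
            if err == ("blank", ""):                # Blank: build a substitute from another attribute (the CN)
                err = ("blank", f"SMTP:{cn}@{default_domain}")
            if err:
                rows.append((dn, v, *err))
            elif seen[v.lower()] > 1:              # Duplicate: compared case-insensitively across all objects
                rows.append((dn, v, "duplicate", v))
    return rows

SAMPLE = {  # constructed sample records, not real directory data
    "CN=Alice,OU=Users,DC=contoso,DC=local": ["SMTP:alice@contoso.com", "smtp:alice@contoso.local"],
    "CN=Bob,OU=Users,DC=contoso,DC=local": ["SMTP:bob smith@contoso.com", "smtp:alice@contoso.com"],
    "CN=Carol,OU=Users,DC=contoso,DC=local": ["SMTP:.carol@contoso.com", ""],
}
ERRORS = find_errors(SAMPLE)                        # six rows for the sample above
```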
4.1.1 Settings
All Settings are now available through a single dialog. The values shown are based on
defaults pulled from the locally connected forest. Users can override with different values
if desired.
4.1.4 Ports
Port can be set to 3268, 389, or 636. The default value when the application is first started
is 3268. This allows the query to return values from all trees in the default forest. While it
is unusual for forests to contain more than one tree it does happen. You will notice that
after updates are applied the port will automatically change to 389. This is because writes
must be applied to the writeable naming context which does not support 3268 as a valid
option. Port 389 is the default for generic LDAP queries and 636 can be selected if you
require LDAP over SSL.
4.2.1 Feedback
Bug reports and feature requests can be sent to IdFixSupport@Microsoft.com,
where they will be reviewed. The address can also be found in a dialog box launched from the
Feedback menu (smiley face) icon.
4.2.2 Performance
IdFix performance will vary based on the hardware utilized and the network latency to the
target server. Machines should have the minimum RAM specified and will benefit by using
faster hard drives since temporary files are written to disk during the Query. High latency
4.2.9 Sorting
The data columns can be sorted by clicking on the column header as is standard in
dataGridView UX behavior. Clicking again will reverse the sort.